Apparently, the latest patch for the Java security vulnerabilities is not so secure itself:

Quote

Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday.

Unfortunately, these flaws mean that people are being advised in many places and news items these days to uninstall Java from their systems:

Quote

For the time being, given the apparent similarity of this flaw to the ones previously reported, users are advised to either disable Java in their browsers or uninstall it completely to avoid falling prey to any future exploits.

Just read the Register article. This looks grim. I wonder why Oracle or the OpenJDK devs are not jumping on this. Even if the issue is eventually fixed, failing to provide a quick solution could result in enough user backlash to effectively kill Java.

It turns out that a significant number of people visit dodgy websites but won't actually admit it to anyone. It also turns out that other people living in your home network might visit dodgy websites and let something nasty into your house. Or someone in the office might visit somewhere dodgy and the next thing you know every PC in the office is fuxx0red. Then someone takes his infected laptop home and plugs it in.

It's a terrible situation and could really have done with patching within 24 hours of being noticed. Oracle have really screwed up.

Also, these sorts of things don't usually spread by people intentionally visiting dodgy websites but by things like people receiving links in email which they click (or on Facebook or some other genuine site). Once infected, the usual multiplication cycle begins, i.e. the malicious app sends more links to the list of contacts on the compromised machine.

I've personally disabled the Java browser plugin, despite having updated to the latest patch. The thing is, how effective is this at preventing infection?

Also, I'm of the opinion that people should be able to visit dodgy websites if they like. The issue here is not a user doing something stupid like clicking on an executable, but rather a part of the software that is supposed to be secure failing in its task.

As they say, it takes two to tango - the JRE browser plug-in is a huge security risk, but unfortunately the browser security net isn't tight enough to catch things falling through the holes, nor is the OS, because the JRE effectively runs with administrative permissions.

The JRE should only ever have been allowed to run with the credentials of a restricted user account. This goes for Mac OS and Linux as well, but sadly I believe on all 3 desktop OSes the JRE has "root". Duh. Unbelievable really but there we go. Everyone involved in the toolchain is to blame for spectacular shortsightedness.

HTML5... you mean that thing that takes all those ideas from the Netscape/IE6 era and builds a "standard" API around them? As bad as all the plug ins creators are in terms of security, I almost feel bad for them. They don't get the plausible deniability that comes with adopting meaningless terms to describe their products, even if just a few tightly connected companies are the ones trying to force feature creep in web browsers. When Flash, Java, or Windows go unpatched for a week it's bad and bloggers know what brands to blame, but when a web browser supports ridiculous features that only serve to help virus writers and advertising companies it's touted as innovation and gets invariably good press. It doesn't matter if it's unpatched for 6 weeks or 6 years. And it doesn't matter if it's insecure by design. It only matters if the problem is fairly invisible and can be patched through public relations instead of software changes.
